At Switcheo, the security of our exchange and your funds is of utmost importance to us.
There are multiple layers of security in Switcheo Account to ensure that traders new to cryptocurrency trading will not get compromised. You will need to pass multiple layers of security checks before your encrypted mnemonic (backup phrase / secret key) is revealed to you.
Multi-layer Trustless Encryption
The mnemonic stored on Switcheo is encrypted with your password, which is key-stretched to a length suitable for encryption purposes. This means even Switcheo cannot access it, because your password itself is never sent to Switcheo (a hash of it is used as the actual password for Switcheo’s off-chain authentication).
On top of that, Switcheo has an additional layer of encryption performed through an isolated service that further encrypts this already-encrypted-mnemonic with a strong server-side encryption key before it is stored in our database.
This means that even in the unlikely event that Switcheo’s database is compromised, it would be impossible to gain access to even mnemonics encrypted with weak passwords through brute-force without Switcheo’s strong encryption key.
This entire process is similar to top-tier password managers such as LastPass and 1Password. We ensure that all hashing and encryption algorithms we use (such as bcrypt and triplesec) are appropriate and state-of-the-art.
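The layering described in this section, as an added example that is not Switcheo's code: Node's built-in scrypt and AES-256-GCM stand in for the key-stretching function and cipher the service actually uses, and every function name, parameter and sample value is an assumption made for illustration.

```javascript
// Added illustration, not Switcheo's implementation. scrypt and AES-256-GCM
// are stand-ins; all names below are hypothetical.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } =
  require('node:crypto');

// AES-256-GCM helpers. Blob layout: iv (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}
function unseal(key, blob) {
  const decipher = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key is wrong or the blob was modified.
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Client side: stretch the password once, then split the output in two.
function deriveClientSecrets(password, salt) {
  const stretched = scryptSync(password, salt, 64, { N: 16384, r: 8, p: 1 });
  return {
    encKey: stretched.subarray(0, 32),                // stays in the browser
    authHash: stretched.subarray(32).toString('hex'), // sent as the login "password"
  };
}

// Client encrypts the mnemonic; the isolated server-side service wraps it again.
function storeMnemonic(mnemonic, password, salt, serverKey) {
  const { encKey, authHash } = deriveClientSecrets(password, salt);
  const clientBlob = seal(encKey, Buffer.from(mnemonic, 'utf8'));
  return { authHash, dbRecord: seal(serverKey, clientBlob) };
}

// Server removes its own layer; only the password holder can remove the inner one.
function revealMnemonic(dbRecord, password, salt, serverKey) {
  const clientBlob = unseal(serverKey, dbRecord);
  const { encKey } = deriveClientSecrets(password, salt);
  return unseal(encKey, clientBlob).toString('utf8');
}
```

A database record on its own fails to open even with the correct password, because the outer layer needs the server-side key; the server key on its own only yields the inner ciphertext.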
Two-Factor Authentication (2FA)
You will need to set up Two-Factor Authentication (2FA) before you can start trading. In order to access your encrypted mnemonic phrase, you will have to provide two things: password and 2FA code.
To prevent your account from being compromised by bad actors, after multiple failed login attempts, you will receive an email informing you of any suspicious activity on your account.
The additional layer of security from your 2FA gives you ample time to withdraw your funds from your account. The only way to change your 2FA is by providing your mnemonic phrase. The phrase is never sent to our servers; instead, Switcheo verifies the mnemonic hash and allows you to reset your 2FA.
You will be asked to enter an anti-phishing code when you create your account. Since only Switcheo knows your anti-phishing code, you should only trust emails that have the anti-phishing code badge with the exact words that you have entered.
Switcheo will never ask you for any sensitive information, like your password, mnemonic phrase, or 2FA. On top of that, upon logging into the exchange, there is a warning to make sure users are on the right website URL with the green secure padlock (https://switcheo.exchange). This helps to prevent phishing sites from stealing the credentials to your account.
Make sure you are on the right website URL.
IP Address Verification
When you verify your email after creating your account, we save your location and IP address and mark them as trusted. Every time you log into your account, we will verify your location. If it is not trusted, you will need to enter the security code sent to your email before you can log in.
Even if someone else knows your email, password, and 2FA, they will also need access to your email before they can access your Switcheo Account.
Once we reveal the encrypted mnemonic to the front-end, it is decrypted using your password, so that your wallet can be unlocked. This decryption is done fully on the front-end web application, without any network communication, protecting your valuable secret keys.